This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
Obviously, private businesses must secure information for many reasons: establishing trust for customers, protecting against lawsuits, and following regulations. And, with some exceptions (such as Equifax), businesses usually operate with information that customers have agreed to hand over.
Cities operate quite differently. They are part of the fabric of our country. And citizens are required to interact with cities if they want to live somewhere.
That means you are given sensitive and confidential information to protect. Yet, cities still fail to protect electronic information appropriately—leaving that information open to hackers, risking stolen information, and increasing the chance of permanent data loss.
Let’s take a tour through a typical city’s information and analyze why it’s so important to protect.
1. City records
The records you must retain for specific periods of time vary depending on the information. Employee accident reports will differ from visitor logs. Business licenses will differ from meeting minutes. Plus, different city records will vary in confidentiality and sensitivity, leading to different processes related to releasing those records in case of Open Records Requests.
While a city can often retain and eventually find records if sought, instances of chaos occur when records are hard to find or remain paper-based. In a previous blog post, we talked about the importance of securing city records by:
- Creating authorization policies that only allow specific people to edit or delete city records.
- Protecting access to the overall document management system with a strong password policy and other security features.
- Keeping the document management system software patched and updated.
- Ensuring that files are encrypted and protected, as needed.
- Tracking all document interactions and changes while creating an audit trail (which is especially useful for compliance or legal issues).
At the most foundational level, these security tips will help you protect city records along with other specialized information.
2. Financial information
Your city’s financial information includes all operational finances, tax information, and online payment information. Over the past few years, we’ve seen cities relentlessly targeted for their financial information—with hackers seeking to take over bank accounts, steal money, and sell financial data on the black market. The City of Spring Hill, Tennessee experienced ransomware that took its financial software offline, and the City of Miami Beach, Florida lost $3.6 million in preventable fraud after a third party stole this money undetected for six months.
Preventing threats to your financial data requires information security strategies such as:
- Replacing older software that is unsupported by the original vendor and lacks up-to-date security patches.
- Shoring up any security vulnerabilities related to financial system access—from weak passwords to misconfigured servers.
- Training employees about phishing, social engineering, and scamming techniques that hackers use to acquire financial information.
3. Personnel information
There’s a reason why city council meetings keep personnel discussions confidential. Many extremely sensitive details are included with personnel information such as personal history, background checks, tests (such as drug tests), healthcare, and work performance. Similar to points made above, you need to protect that information with special care. Information security is especially important here because you are legally required to protect personnel details.
4. Personally identifiable information (PII)
Protecting PII is so important that Sophicity CEO Dave Mims presented on this topic to the Kentucky Master Municipal Clerks Academy in August 2018. PII includes information such as a person’s name, physical address, email address, race, sex, date of birth, social security number, driver's license number, and other personal details. This recorded information, in paper or digital form, is used by individuals to identify themselves when conducting transactions with entities.
Not protecting this information leaves it open for theft by hackers, and this information is used and sold to commit identity theft. There is risk and liability in maintaining PII, so confirm if you need to keep it and securely purge what PII you don’t need to keep. To protect the PII you do keep:
- Secure access and encrypt it.
- Don’t put PII on a laptop or portable device.
- Identify and address any security vulnerabilities related to PII.
- Follow state records retention schedules.
- Destroy expired PII.
- Notify appropriate personnel in the event of an incident.
5. Public safety information
In 2017, we reported on a case where ransomware led to permanent data loss at the City of Cockrill Hill in Texas. As we noted: “[A defense lawyer working for a client who faced prison time] needed specific evidence to help his client avoid jail time. That evidence? Permanently lost. In other words, the data loss—rooted in a technology problem—could literally send a person to jail or serve a longer prison sentence because important evidence disappeared forever.”
In another instance, the City of Riverside, Ohio experienced so many ransomware compromises that they lost access to Ohio’s law enforcement databases. In a blog post talking about this incident, we said, “Imagine if your police department was unable to access state or national crime databases. Today, so much information access and sharing requires interdependence—and with interdependence comes responsibility. Do you think a friend would feel comfortable leaving valuables at your house if you never locked it? The same logic applies here. Cities need to implement basic cybersecurity best practices or risk losing access to important information from government agencies.”
Public safety departments need to keep information secure with modernized technology, up-to-date software (that receives regular security patches), and proactive monitoring and alerting of your technology systems for issues. Otherwise, your lack of information security risks exposing sensitive case and investigation data to a hacking incident that may lead to severe financial, legal, and operational repercussions.
As stewards of important citizen and city business information, cities need to treat electronic information just as they would treat valuables locked up in a vault or locking the doors of buildings. How secure is your information?